[Bug binutils/17531] readelf crashes on fuzzed samples
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

Alan Modra changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #100 from Alan Modra ---
fixed a while ago

--
You are receiving this mail because:
You are on the CC list for the bug.
--- Comment #99 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Alan Modra:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6bd6a03d6975a96802b37741a99644570e52a72b

commit 6bd6a03d6975a96802b37741a99644570e52a72b
Author: Alan Modra
Date:   Wed Sep 27 15:14:00 2017 +0930

    PR22216, infinite loop in readelf process_symbol_table

    This should make readelf bombproof given a fuzzed DT_HASH.  Also
    removes a bogus check that would have resulted in wrong histograms.

        PR 22216
        * readelf.c (process_symbol_table): Check that DT_HASH symbol
        chains are only visited once, and report an error if not.  Display
        invalid symbol index if chain is out of range.  Use the same logic
        when calculating histograms rather than the PR 17531 fix.  Delete
        bogus check that chained index is less than number of buckets.

___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
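As an added illustration of the chain-walk rule this commit describes (example code written for this page, not readelf.c): every symbol slot may be visited once across the table, an index at or beyond nchain is reported as invalid, and the histogram input comes from the same walk. The four sample tables are constructed; the last one is a case a plain step-counting bound would terminate on but not report.

```c
/* Added example, not binutils' readelf.c: walking a SysV DT_HASH table so that
   a fuzzed table can neither loop forever nor index outside chains[].  Layout
   is the real ELF one (nbucket, nchain, buckets[], chains[]); the sample tables
   at the bottom are constructed for this demonstration.  */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct sysv_hash {
    uint32_t nbucket;
    uint32_t nchain;          /* equals the symbol count; chains[] is indexed by symbol */
    const uint32_t *buckets;  /* nbucket entries: a symbol index or STN_UNDEF (0) */
    const uint32_t *chains;   /* nchain entries: next symbol in the chain or STN_UNDEF */
};

/* Error flags returned by walk_hash_chains; 0 means the table was clean.  */
#define WALK_BAD_INDEX 1   /* a chain entry pointed outside chains[] */
#define WALK_REVISITED 2   /* a slot was reached twice: a loop, or two buckets sharing a tail */

/* Follow every bucket's chain to STN_UNDEF.  Each symbol slot may be visited at
   most once across the whole table, which bounds the work by nchain however the
   table is corrupted.  *visited gets the number of slots reached, *maxlen the
   longest chain (the input to the length histogram).  A bad chain is reported
   and abandoned, but the other buckets are still walked.  Returns -1 only on
   allocation failure.  */
static int walk_hash_chains(const struct sysv_hash *h, uint32_t *visited, uint32_t *maxlen)
{
    int status = 0;
    uint32_t total = 0, longest = 0;
    unsigned char *seen = calloc(h->nchain ? h->nchain : 1, 1);
    if (seen == NULL)
        return -1;
    for (uint32_t b = 0; b < h->nbucket; b++) {
        uint32_t len = 0;
        for (uint32_t si = h->buckets[b]; si != 0; si = h->chains[si]) {
            if (si >= h->nchain) {
                fprintf(stderr, "bucket %u: invalid symbol index %u (nchain is %u)\n",
                        (unsigned)b, (unsigned)si, (unsigned)h->nchain);
                status |= WALK_BAD_INDEX;
                break;
            }
            if (seen[si]) {
                /* A plain step counter (give up after nchain steps) terminates too,
                   but cannot tell a loop from a slot shared by two buckets and would
                   count the shared slot twice in the histogram.  */
                fprintf(stderr, "bucket %u: symbol %u already visited, chain is corrupt\n",
                        (unsigned)b, (unsigned)si);
                status |= WALK_REVISITED;
                break;
            }
            seen[si] = 1;
            total++;
            len++;
        }
        if (len > longest)
            longest = len;
    }
    free(seen);
    *visited = total;
    *maxlen = longest;
    return status;
}

/* Constructed sample tables, each with nbucket = 2 and nchain = 5.  */
static const uint32_t good_buckets[]  = { 1, 3 };
static const uint32_t good_chains[]   = { 0, 2, 0, 4, 0 };   /* 1 -> 2, 3 -> 4 */
static const uint32_t loop_buckets[]  = { 1, 0 };
static const uint32_t loop_chains[]   = { 0, 2, 1, 0, 0 };   /* 1 -> 2 -> 1 -> ... */
static const uint32_t range_buckets[] = { 1, 7 };            /* 7 >= nchain */
static const uint32_t range_chains[]  = { 0, 2, 0, 0, 0 };
static const uint32_t merge_buckets[] = { 1, 3 };
static const uint32_t merge_chains[]  = { 0, 2, 0, 2, 0 };   /* both chains end in slot 2 */

static const struct sysv_hash samples[] = {
    { 2, 5, good_buckets,  good_chains  },   /* 0: well formed */
    { 2, 5, loop_buckets,  loop_chains  },   /* 1: cycle inside one chain */
    { 2, 5, range_buckets, range_chains },   /* 2: out-of-range index */
    { 2, 5, merge_buckets, merge_chains },   /* 3: two buckets share a tail */
};

/* Walk sample `which' and pack the outcome as status<<16 | visited<<8 | maxlen;
   0xffffffff means no such sample or allocation failure.  */
static unsigned sample_code(int which)
{
    uint32_t visited = 0, maxlen = 0;
    if (which < 0 || which >= (int)(sizeof samples / sizeof samples[0]))
        return 0xffffffffu;
    int st = walk_hash_chains(&samples[which], &visited, &maxlen);
    return st < 0 ? 0xffffffffu : (((unsigned)st << 16) | (visited << 8) | maxlen);
}

int main(void)
{
    for (int i = 0; i < 4; i++) {
        unsigned r = sample_code(i);
        printf("sample %d: status %u, %u slots visited, longest chain %u\n",
               i, r >> 16, (r >> 8) & 0xff, r & 0xff);
    }
    return 0;
}
```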
--- Comment #98 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Maciej W. Rozycki:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c9f02c3e29498fd9ecb1a9719c317c305fe509ae

commit c9f02c3e29498fd9ecb1a9719c317c305fe509ae
Author: Maciej W. Rozycki
Date:   Thu Feb 23 18:16:11 2017 +

    readelf: Fix incorrect "Version definition past end of section" message

    Fix a commit 74e1a04b9787 ("More fixes for reading corrupt ELF files.")
    `readelf --version-info' regression that caused "Version definition past
    end of section" to be always printed at the end, even with good section
    data.  For example with the `mips-linux' target we get:

    $ cat ver_def.s
            .data
            .globl  new_foo
            .type   new_foo, %object
    new_foo:
            .symver new_foo, foo@@ver_foo
    $ cat ver_def.ver
    { global: *foo*; local: *; };
    $ as -o ver_def.o ver_def.s
    $ ld -e 0 --export-dynamic --version-script=ver_def.ver -o ver_def ver_def.o
    $ readelf -V ver_def

    Version symbols section '.gnu.version' contains 4 entries:
     Addr: 007e  Offset: 0x01007e  Link: 2 (.dynsym)
      000:   0 (*local*)       2 (ver_foo)       1 (*global*)      2 (ver_foo)

    Version definition section '.gnu.version_d' contains 2 entries:
      Addr: 0x0088  Offset: 0x010088  Link: 3 (.dynstr)
      00: Rev: 1  Flags: BASE   Index: 1  Cnt: 1  Name: ver_def
      0x001c: Rev: 1  Flags: none  Index: 2  Cnt: 1  Name: ver_foo
    Version definition past end of section
    $

    The cause is the `if (idx + ent.vd_next <= idx)' condition introduced to
    ensure forward progress, which however always triggers for good version
    definition section data as the last entry will have its `vd_next' value
    set to 0.

    Adjust the condition then, to say `if (idx + ent.vd_next < idx)' instead
    and to ensure forward progress limit the number of entries processed to
    the size of the version definition section, removing the problematic
    message from output quoted above, while ensuring the original PR 17531
    test case is still handled gracefully.

    Add a suitable test case so that we have `readelf --version-info'
    coverage; due to the lack of infrastructure needed to run the linker in
    the `binutils' test suite and limited justification to implement it add
    a new `readelf.exp' script to the `ld' test suite instead, intended to
    gather any `readelf' test cases that require the linker to be run.  If
    ever we decide to have linker infrastructure added to the `binutils'
    test suite, then the script can be moved between the test suites.

        binutils/
        * readelf.c (process_version_sections): Limit the number of
        entries processed by the section size.  Don't break out of the
        loop if `ent.vd_next' is 0.

        ld/
        * testsuite/ld-elf/ver_def.d: New test.
        * testsuite/ld-elf/ver_def.ld: New test linker script.
        * testsuite/ld-elf/ver_def.ver: New test version script.
        * testsuite/ld-elf/ver_def.s: New test source.
        * testsuite/ld-elf/readelf.exp: New test script.
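To show the corrected forward-progress condition side by side with the regressed one, here is an added example (illustrative code written for this page, not readelf.c) that parses constructed .gnu.version_d bytes mirroring the ver_def output above. The verdef field layout is the Elf32 one; hash and name values are placeholders, and the wrap and overrun scenarios are constructed inputs.

```c
/* Added example, not binutils' readelf.c: walking the verdef chain of a
   .gnu.version_d section with the corrected forward-progress rule beside the
   regressed `<=' one.  Elf32 little-endian; the section bytes are constructed
   here to mirror the two-entry ver_def example above.  */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VERDEF_SIZE 20    /* on-disk Elf32_Verdef */
#define VERDAUX_SIZE 8    /* on-disk Elf32_Verdaux */
#define SEC_SIZE 56       /* two verdef+verdaux pairs, 0x1c bytes each */

struct verdef {
    uint16_t vd_version, vd_flags, vd_ndx, vd_cnt;
    uint32_t vd_hash, vd_aux, vd_next;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Read the entry at idx, refusing one that does not lie wholly inside the section.  */
static bool read_verdef(const uint8_t *sec, uint32_t size, uint32_t idx, struct verdef *out)
{
    if (idx > size || size - idx < VERDEF_SIZE)
        return false;
    const uint8_t *p = sec + idx;
    out->vd_version = rd16(p);  out->vd_flags = rd16(p + 2);
    out->vd_ndx = rd16(p + 4);  out->vd_cnt = rd16(p + 6);
    out->vd_hash = rd32(p + 8); out->vd_aux = rd32(p + 12); out->vd_next = rd32(p + 16);
    return true;
}

/* Walk the chain; sh_info is the entry count claimed by the section header.
   old_rule selects the regressed `<=' test, otherwise the corrected `<' test
   plus a cap on the entry count by what the section can hold.  Returns the
   number of entries displayed; *past_end is set when the walk stopped short of
   sh_info entries, the exact condition under which readelf prints
   "Version definition past end of section".  */
static unsigned walk_verdefs(const uint8_t *sec, uint32_t size, uint32_t sh_info,
                             bool old_rule, bool *past_end)
{
    uint32_t idx = 0, cnt;
    for (cnt = 0; cnt < sh_info; ++cnt) {
        struct verdef ent;
        if (!old_rule && cnt >= size / VERDEF_SIZE)
            break;                                  /* more entries claimed than fit */
        if (!read_verdef(sec, size, idx, &ent))
            break;                                  /* vd_next sent us past the section */
        printf("  0x%04x: Rev: %u  Flags: %s  Index: %u  Cnt: %u\n", (unsigned)idx,
               ent.vd_version, (ent.vd_flags & 1) ? "BASE" : "none", ent.vd_ndx, ent.vd_cnt);
        /* A wrapped sum means vd_next pointed backwards (fuzzed data).  The old
           `<=' form also fires on the valid final entry, whose vd_next is 0,
           leaving cnt < sh_info and hence the bogus message.  */
        if (old_rule ? ((uint32_t)(idx + ent.vd_next) <= idx)
                     : ((uint32_t)(idx + ent.vd_next) < idx))
            break;
        if (ent.vd_next == 0) {                     /* normal end of chain */
            ++cnt;
            break;
        }
        idx += ent.vd_next;
    }
    *past_end = cnt < sh_info;
    return cnt;
}

/* Build the sample: a BASE entry (ver_def) at 0x00 and a second entry (ver_foo)
   at 0x1c, each with one verdaux.  Hash and name values are placeholders;
   second_next becomes the last vd_next so each scenario can corrupt it.  */
static void build_section(uint8_t sec[SEC_SIZE], uint32_t second_next)
{
    const uint32_t stride = VERDEF_SIZE + VERDAUX_SIZE;
    uint8_t *e = sec;
    memset(sec, 0, SEC_SIZE);
    wr16(e, 1); wr16(e + 2, 1 /* VER_FLG_BASE */); wr16(e + 4, 1); wr16(e + 6, 1);
    wr32(e + 12, VERDEF_SIZE); wr32(e + 16, stride); wr32(e + VERDEF_SIZE, 1);
    e = sec + stride;
    wr16(e, 1); wr16(e + 2, 0); wr16(e + 4, 2); wr16(e + 6, 1);
    wr32(e + 12, VERDEF_SIZE); wr32(e + 16, second_next); wr32(e + VERDEF_SIZE, 9);
}

/* One scenario: entries displayed, negated when the "past end" message would print.  */
static int run_case(uint32_t second_next, uint32_t sh_info, bool old_rule)
{
    uint8_t sec[SEC_SIZE];
    bool past_end;
    build_section(sec, second_next);
    unsigned shown = walk_verdefs(sec, SEC_SIZE, sh_info, old_rule, &past_end);
    return past_end ? -(int)shown : (int)shown;
}

int main(void)
{
    printf("good/old %d  good/new %d  wrap/new %d  overrun/new %d\n", run_case(0, 2, true),
           run_case(0, 2, false), run_case(0xfffffff0u, 1000, false), run_case(0x100, 3, false));
    return 0;   /* prints: good/old -1  good/new 2  wrap/new -1  overrun/new -2 */
}
```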
Nick Clifton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vpbalint at silentsignal dot hu

--- Comment #97 from Nick Clifton ---
*** Bug 19518 has been marked as a duplicate of this bug. ***
--- Comment #96 from cvs-commit at gcc dot gnu.org ---
The binutils-2_25-branch branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=304a2b6fe67786b45889a784bf71aabf2a9d26fd

commit 304a2b6fe67786b45889a784bf71aabf2a9d26fd
Author: Nick Clifton ni...@redhat.com
Date:   Tue Mar 24 11:31:37 2015 +

    Import fixes for invalid memory access issues in the binutils DWARF
    parser from the trunk sources.

        PR binutils/17512
        * dwarf.c (display_debug_loc): Pacify the undefined behaviour
        sanitizer by simplifying address difference calculation.
        (struct Frame_Chunk): Change type of cfa_offset to dwarf_vma in
        order to avoid arithmetic overflows.
        (frame_display_row): Cast cfa_offset before printing it.
        (display_debug_frames): Likewise.  Check for an unexpected segment
        size.  Change type of 'l' local to dwarf_vma and cast it back to
        an int when printing.
        (process_cu_tu_index): Tighten check for an invalid ncols value.
        * readelf.c (process_corefile_note_segment): Check for
        inote.descdata extending beyond the end of the section.
        (process_v850_notes): Likewise.

    2015-02-13  Nick Clifton  ni...@redhat.com

        PR binutils/17512
        * dwarf.c (read_leb128): Fix test for shift becoming too large.

        PR binutils/17531
        * dwarf.c (display_debug_aranges): Add check for an excessive
        ar_length value.
        (process_cu_tu_index): Check for a row * columns sum being too
        large.

    2015-02-13  Alan Modra  amo...@gmail.com

        * dwarf.c: Formatting, whitespace.
        (process_debug_info): Style fix.

    2015-02-11  Nick Clifton  ni...@redhat.com

        PR binutils/17531
        * dwarf.c (display_debug_pubnames_worker): Work around compiler bug
        checking address ranges.
        (display_debug_frames): Likewise.
        (display_gdb_index): Likewise.
        (process_cu_tu_index): Add range check on the ncols value.

    2015-02-10  Nick Clifton  ni...@redhat.com

        PR binutils/17512
        * dwarf.c (eh_addr_size): Use an unsigned type.
        (size_of_encoded_value): Return an unsigned type.
        (read_leb128): Break if the shift becomes too big.
        (process_extended_line_op): Do not read the address if the length
        is too long.
        (read_cie): Warn and fail if the pointer size or segment size are
        too big.
        * dwarf.h (DWARF2_External_LineInfo): Delete unused and incorrect
        structure definition.
        (DWARF2_External_PubNames): Likewise.
        (DWARF2_External_CompUnit): Likewise.
        (DWARF2_External_ARange): Likewise.
        (DWARF2_Internal_LineInfo): Use dwarf_vma type for
        li_prologue_length.
        (eh_addr_size): Update prototype.

        PR binutils/17531
        * dwarf.c (process_debug_info): Zero the debug information array
        since correct initialisation cannot be relied upon.
        (process_cu_tu_index): Improve range checks.

        PR binutils/17531
        * dwarf.c (display_debug_pubnames_worker): Use dwarf_vma type for
        offset.

    2015-02-06  Nick Clifton  ni...@redhat.com

        PR binutils/17512
        * dwarf.c (display_debug_frames): Fix range checks to work on
        32-bit binaries compiled on a 64-bit host.

        PR binutils/17531
        * dwarf.c (xcmalloc): Fail if the arguments are too big.
        (xcrealloc): Likewise.
        (xcalloc2): Likewise.
        * readelf.c (process_mips_specific): Fail if an option has an
        invalid size.

    2015-02-05  Alan Modra  amo...@gmail.com

        PR binutils/17926
        * dwarf.c (dwarf_select_sections_by_letters): Don't refer to
        optarg.

    2015-02-04  Nick Clifton  ni...@redhat.com

        PR binutils/17531
        * dwarf.c (read_and_display_attr_value): Test for a block length
        being so long that it wraps around to before the start of the
        block.
        (process_debug_info): Test for section_begin wrapping around to
        before the start of the section.
        (display_gdb_index): Test for num_cus being so large that the end
        address wraps around to before the start of the section.
        (process_cu_tu_index): Test for j being so large that the section
        index pool wraps around to before the start of the section.

    2015-02-03  Nick Clifton  ni...@redhat.com

        PR binutils/17531
        * dwarf.c (process_debug_info): Add range check.
        (display_debug_pubnames_worker): Likewise.
        (display_gdb_index): Fix range check.
        (process_cu_tu_index): Add range check.
        * readelf.c (get_data): Change parameter types from size_t to
        bfd_size_type.  Add checks for loss of accuracy when casting from
        bfd_size_type to size_t.
--- Comment #95 from cvs-commit at gcc dot gnu.org ---
The binutils-2_25-branch branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1dead8aee09e9ba148f6f44040122f62b5e4acea

commit 1dead8aee09e9ba148f6f44040122f62b5e4acea
Author: Nick Clifton ni...@redhat.com
Date:   Tue Mar 24 10:30:34 2015 +

    Import security fixes for readelf from the master branch:

    2015-02-26  Nick Clifton  ni...@redhat.com

        PR binutils/17512
        * readelf.c (process_corefile_note_segment): Check for
        inote.descdata extending beyond the end of the section.
        (process_v850_notes): Likewise.

    2015-02-24  Mike Frysinger  vap...@gentoo.org

        PR binutils/17531
        * readelf.c (process_symbol_table): Declare chained.  Increment it
        in every loop.  Abort when chained is larger than nchains.  Move
        error check outside of chain loop.

    2015-02-10  Nick Clifton  ni...@redhat.com

        PR binutils/17531
        * readelf.c (dump_relocations): Handle printing offsets which are
        MIN_INT.
        (process_corefile_note_segment): Add range check of the namesz
        field.

    2015-02-06  Nick Clifton  ni...@redhat.com

        * readelf.c (process_mips_specific): Fail if an option has an
        invalid size.

    2015-02-03  Nick Clifton  ni...@redhat.com

        PR binutils/17531
        * readelf.c (get_data): Change parameter types from size_t to
        bfd_size_type.  Add checks for loss of accuracy when casting from
        bfd_size_type to size_t.
        (get_dynamic_data): Likewise.
        (process_section_groups): Limit number of error messages.

    2015-01-05  Nick Clifton  ni...@redhat.com

        * readelf.c (slurp_ia64_unwind_table): Warn if the reloc could not
        be identified.
        (dynamic_section_mips_val): Warn if the timestamp is invalid.
        (print_mips_got_entry): Add a data_end parameter.  Warn if a read
        would go beyond the end of the data, and return an error value.
        (process_mips_specific): Do not read options from beyond the end
        of the section.  Correct code to display optional data at the end
        of an option.  Warn if there are too many GOT symbols.  Update
        calls to print_mips_got_entry, and handle error returns.

    2014-12-08  Nick Clifton  ni...@redhat.com

        PR binutils/17531
        * readelf.c (dump_ia64_unwind): Add range checks.
        (slurp_ia64_unwind_table): Change to a boolean function.  Add
        range checks.
        (process_version_sections): Add range checks.
        (get_symbol_version_string): Add check for missing section
        headers.

    2014-12-03  Nick Clifton  ni...@redhat.com

        PR binutils/17531
        * readelf.c (get_machine_flags): Replace call to abort with a
        warning message and a return value.
        (get_elf_section_flags): Likewise.
        (get_symbol_visibility): Likewise.
        (get_ia64_symbol_other): Likewise.
        (get_ia64_symbol_other): Likewise.
        (is_32bit_abs_reloc): Likewise.
        (apply_relocations): Likewise.
        (display_arm_attribute): Likewise.

    2014-12-01  Nick Clifton  ni...@redhat.com

        PR binutils/17512
        * dwarf.h (struct dwarf_section): Add user_data field.
        * dwarf.c (frame_need_space): Check for an over large register
        number.
        (display_debug_frames): Check the return value from
        frame_need_space.  Check for a CFA expression that is so long the
        start address wraps around.
        (debug_displays): Initialise the user_data field.
        * objdump.c (load_specific_debug_section): Save the BFD section
        pointer in the user_data field of the dwarf_section structure.
        (free_debug_section): Update BFD section data when freeing section
        contents.
        * readelf.c (load_specific_debug_section): Initialise the
        user_data field.

    2014-12-01  Nick Clifton  ni...@redhat.com

        PR binutils/17531
        * readelf.c (process_archive): Add range checks.

    2014-11-28  Alan Modra  amo...@gmail.com

        * readelf.c (get_32bit_elf_symbols): Cast bfd_size_type values to
        unsigned long for %lx.
        (get_64bit_elf_symbols, process_section_groups): Likewise.

    2014-11-27  Espen Grindhaug  es...@grindhaug.org
                Nick Clifton  ni...@redhat.com

        PR binutils/17531
        * readelf.c (get_data): Move excessive length check to earlier on
        in the function and allow for wraparound in the arithmetic.
        (get_32bit_elf_symbols): Terminate early if the section size is
        zero.  Check for an invalid sh_entsize.  Check for an index
        section with an invalid size.
        (get_64bit_elf_symbols): Likewise.
        (process_section_groups): Check for an invalid
--- Comment #94 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

(In reply to Alexander Cherepanov from comment #93)
> Created attachment 8127 [details]
> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
>
> -- valgrind
> Files: 1
> Errors:
>       5 Invalid read of size ...

I cannot reproduce these failures.  :-{  Maybe they have already been
fixed by one of the patches for PR 17512 ?

Cheers
  Nick
--- Comment #92 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> Files: 2
> Errors:
>       2 *** Segmentation fault

Fixed.

Cheers
  Nick
--- Comment #91 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ffc0f143c74a7d49f6d1ae3f835e404ef4e56772

commit ffc0f143c74a7d49f6d1ae3f835e404ef4e56772
Author: Nick Clifton ni...@redhat.com
Date:   Fri Feb 13 14:17:18 2015 +

    Fixes for memory access violations triggered by running readelf on
    fuzzed binaries.

        PR binutils/17531
        * dwarf.c (display_debug_aranges): Add check for an excessive
        ar_length value.
        (process_cu_tu_index): Check for a row * columns sum being too
        large.
--- Comment #93 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8127
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8127&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

-- valgrind
Files: 1
Errors:
      5 Invalid read of size ...
--- Comment #88 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=362beea4b400bcd5aca3bb1215a77e9e749b07fe

commit 362beea4b400bcd5aca3bb1215a77e9e749b07fe
Author: Nick Clifton ni...@redhat.com
Date:   Wed Feb 11 13:05:04 2015 +

    Fixes for invalid memory accesses triggered by running readelf on
    fuzzed binaries.

        PR binutils/17531
        * dwarf.c (display_debug_pubnames_worker): Work around compiler bug
        checking address ranges.
        (display_debug_frames): Likewise.
        (display_gdb_index): Likewise.
        (process_cu_tu_index): Add range check on the ncols value.
--- Comment #89 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> Errors:
>       1 Invalid read of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)

Fixed.

Cheers
  Nick
--- Comment #83 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03a91817f163986f10cb843f58e2f2cd9186e4f0

commit 03a91817f163986f10cb843f58e2f2cd9186e4f0
Author: Nick Clifton ni...@redhat.com
Date:   Tue Feb 10 17:13:31 2015 +

    Fixes for memory access violations triggered by running readelf on
    fuzzed binaries.

        PR binutils/17531
        * dwarf.c (process_debug_info): Zero the debug information array
        since correct initialisation cannot be relied upon.
        (process_cu_tu_index): Improve range checks.
--- Comment #86 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) -- ubsan
>
> This is an experimental report.  Attached samples expose undefined
> behavior.  The errors are collected with binutils built with gcc-4.9
> -fsanitize=undefined (exact configure is in configure-ubsan.txt).  If it's
> useful I'll integrate it into the usual reports.  If it's not useful feel
> free to ignore it.

I do find it useful, so please do integrate it into your reports.

> Errors:
>       1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
>       1 ../../../source/binutils/dwarf.c:3781:4: runtime error: variable length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:5892:4: runtime error: variable length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:6431:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/dwarf.c:6437:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/dwarf.c:6447:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/dwarf.c:6453:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/dwarf.c:6460:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/dwarf.c:6469:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/readelf.c:15068:46: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
>       1 ../../../source/binutils/readelf.c:1615:7: runtime error: negation of ... cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
>       1 ../../../source/binutils/readelf.c:1627:6: runtime error: negation of ... cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself

These should all be fixed now.

Cheers
  Nick
--- Comment #85 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=834f871cdc6e5d9f5bda9ce607fd3c47f41a2ade

commit 834f871cdc6e5d9f5bda9ce607fd3c47f41a2ade
Author: Nick Clifton ni...@redhat.com
Date:   Tue Feb 10 17:53:53 2015 +

    Fix memory access violations discovered by running readelf compiled with
    undefined memory access sanitization on fuzzed binaries.

        PR binutils/17531
        * dwarf.c (display_debug_pubnames_worker): Use dwarf_vma type for
        offset.
        * readelf.c (dump_relocations): Handle printing offsets which are
        MIN_INT.
        (process_corefile_note_segment): Add range check of the namesz
        field.
--- Comment #87 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8119
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8119&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

-- valgrind
Files: 1
Errors:
      1 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)

-- catchsegv
Files: 2
Errors:
      2 *** Segmentation fault
--- Comment #82 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8108
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8108&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) -- ubsan

This is an experimental report.  Attached samples expose undefined behavior.
The errors are collected with binutils built with gcc-4.9 -fsanitize=undefined
(exact configure is in configure-ubsan.txt).  If it's useful I'll integrate it
into the usual reports.  If it's not useful feel free to ignore it.

-- ubsan
Files: 12
Errors:
      1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
      1 ../../../source/binutils/dwarf.c:3781:4: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:5892:4: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:6431:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6437:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6447:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6453:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6460:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6469:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/readelf.c:15068:46: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
      1 ../../../source/binutils/readelf.c:1615:7: runtime error: negation of ... cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
      1 ../../../source/binutils/readelf.c:1627:6: runtime error: negation of ... cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
--- Comment #78 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8490fb409a37072389da7cafc3a92255e9a34c98

commit 8490fb409a37072389da7cafc3a92255e9a34c98
Author: Nick Clifton ni...@redhat.com
Date:   Fri Feb 6 12:19:20 2015 +

    Fix memory access violations triggered by processing fuzzed binaries
    with a 32-bit version of readelf, compiled on a 64-bit host.

        PR binutils/17531
        * dwarf.c (xcmalloc): Fail if the arguments are too big.
        (xcrealloc): Likewise.
        (xcalloc2): Likewise.
--- Comment #80 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> Errors:
>       8 Conditional jump or move depends on uninitialised value(s)
>       1 Invalid write of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)
>       2 Use of uninitialised value of size ...

These should all be fixed now.

Cheers
  Nick
--- Comment #76 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8102
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8102&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

Files: 2
Errors:
      8 Conditional jump or move depends on uninitialised value(s)
      1 Invalid write of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
      2 Use of uninitialised value of size ...
--- Comment #74 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f3853b34448594744f284fa96f26e41fd533a50d

commit f3853b34448594744f284fa96f26e41fd533a50d
Author: Nick Clifton ni...@redhat.com
Date:   Wed Feb 4 10:40:05 2015 +

    More fixes for memory access violations triggered by running readelf on
    fuzzed binaries.

        PR binutils/17531
        * dwarf.c (read_and_display_attr_value): Test for a block length
        being so long that it wraps around to before the start of the
        block.
        (process_debug_info): Test for section_begin wrapping around to
        before the start of the section.
        (display_gdb_index): Test for num_cus being so large that the end
        address wraps around to before the start of the section.
        (process_cu_tu_index): Test for j being so large that the section
        index pool wraps around to before the start of the section.
--- Comment #75 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

> Not sure if it's supposed to be fixed already but the following samples
> still crash for me (without valgrind):
>
> 0239616b 0d903ffb 206b89bd 5b5f0592 705e010d 731b937f 8a415f90 908c0847
> e6b58147

Fascinating.  Valgrind was actually preventing the seg-faults from
occurring.  I would never have suspected that.

Anyway, I have checked in another patch and these tests should all pass
now, both with and without valgrind.

Cheers
  Nick
--- Comment #71 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=570286220e28e606e199b37a06cd199cadb592ba

commit 570286220e28e606e199b37a06cd199cadb592ba
Author: Nick Clifton ni...@redhat.com
Date:   Tue Feb 3 20:42:36 2015 +

    Fix memory access violations triggered by running readelf on fuzzed
    binaries.

        PR binutils/17531
        * dwarf.c (process_debug_info): Add range check.
        (display_debug_pubnames_worker): Likewise.
        (display_gdb_index): Fix range check.
        (process_cu_tu_index): Add range check.
        * readelf.c (get_data): Change parameter types from size_t to
        bfd_size_type.  Add checks for loss of accuracy when casting from
        bfd_size_type to size_t.
        (get_dynamic_data): Likewise.
        (process_section_groups): Limit number of error messages.
--- Comment #70 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8095
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8095&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

More problems found with 32-bit binutils: built with -m32 on 64-bit host.

-- valgrind
Files: 39
Errors:
     39 Conditional jump or move depends on uninitialised value(s)
    105 Invalid read of size ...
      1 Invalid write of size ...
     24 Process terminating with default action of signal 11 (SIGSEGV)
      7 Use of uninitialised value of size ...

-- gdb
Files: 4
Errors:
      4 No assertion info in gdb backtrace.

-- catchsegv
Files: 11
Errors:
     11 *** Segmentation fault
[Bug binutils/17531] readelf crashes on fuzzed samples
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #69 from joseph at codesourcery dot com ---
On Mon, 12 Jan 2015, cvs-commit at gcc dot gnu.org wrote:

> (xcalloc2): New function.  Like xcalloc, but checks for overflow.
> * dwarf.h (xcalloc2): Prototype.

This should not be needed.  xcalloc calls calloc, which should check for
overflow itself.  I see libiberty has a broken version of calloc, but since
calloc is a C89 function no modern system should be using libiberty's
version.  If we wish to allow for systems with broken calloc, libiberty's
configure should detect such systems (based on a blacklist of broken
systems) and substitute a working calloc.

(On the other hand, all the allocation macros in libiberty.h that do
multiplications do need replacing by versions that check for overflow -
that is, the existing macros need to be made to check for overflow, rather
than having separate checking and non-checking versions.)

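An added illustration, not binutils code, of the two defensive checks the commits in this thread describe: refusing a count times size product that wraps before it reaches the allocator (what xcalloc2 in comment #65 does, and what Joseph argues a conforming calloc already does), and refusing a bfd_size_type value that cannot be represented in size_t (the loss-of-accuracy check added to get_data in comment #71). All function names are hypothetical, and uint64_t stands in for bfd_size_type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for binutils' bfd_size_type: a 64-bit size that is wider than
   size_t on a 32-bit build (-m32 on a 64-bit host, as in comment #70). */
typedef uint64_t bfd_size_type;

/* Narrow a section size read from the file to size_t.  Returns 1 and stores
   the value, or 0 if the cast would drop high bits (the "loss of accuracy"
   case); a caller that ignored this would allocate less than it then reads. */
int narrow_size(bfd_size_type wide, size_t *out)
{
    if (wide > (bfd_size_type) SIZE_MAX)
        return 0;
    *out = (size_t) wide;
    return 1;
}

/* Multiply two header-supplied counts, refusing if the product wraps. */
int checked_mul(size_t nmemb, size_t size, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return 0;
    *out = nmemb * size;
    return 1;
}

/* Overflow-checked calloc in the spirit of the thread's xcalloc2 (hypothetical
   reimplementation, not the binutils function): returns NULL on wrap-around
   instead of trusting calloc to detect it, the property comment #69 relies on. */
void *calloc_checked(size_t nmemb, size_t size)
{
    size_t total;
    if (!checked_mul(nmemb, size, &total))
        return NULL;
    return calloc(nmemb, size);
}

/* Allocate a CU/TU index table whose column and unit counts come straight
   from an untrusted header.  Returns NULL on any narrowing or overflow. */
void *alloc_index_table(bfd_size_type ncols, bfd_size_type nunits)
{
    size_t c, u, cells;
    if (!narrow_size(ncols, &c) || !narrow_size(nunits, &u))
        return NULL;
    if (!checked_mul(c, u, &cells))
        return NULL;
    return calloc_checked(cells, sizeof(uint32_t));
}
```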
[Bug binutils/17531] readelf crashes on fuzzed samples
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #65 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72c61a0d1ef445f99305859b66450da60ec6e0cb

commit 72c61a0d1ef445f99305859b66450da60ec6e0cb
Author: Nick Clifton ni...@redhat.com
Date:   Mon Jan 12 16:08:41 2015 +

    More fixes for memory access errors when running readelf on fuzzed binaries.

        PR binutils/17531
        * dwarf.c (process_debug_info): Check for abbrev_base being larger
        than the section size.
        (process_cu_tu_index): Use xcalloc2 to allocate the CU and TU
        arrays.
        (xcalloc2): New function.  Like xcalloc, but checks for overflow.
        * dwarf.h (xcalloc2): Prototype.

[Bug binutils/17531] readelf crashes on fuzzed samples
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #66 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`
> Errors:
>  4 Conditional jump or move depends on uninitialised value(s)
>  1 Invalid read of size ...
>  1 Process terminating with default action of signal 11 (SIGSEGV)
>  1 Use of uninitialised value of size ...

Fixed. :-)

Cheers
  Nick

[Bug binutils/17531] readelf crashes on fuzzed samples
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #67 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton ni...@sourceware.org:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1306a7421c764d1f5e2a08afdb9b5818662c9e9c

commit 1306a7421c764d1f5e2a08afdb9b5818662c9e9c
Author: Nick Clifton ni...@redhat.com
Date:   Mon Jan 12 17:28:55 2015 +

    Another fix for memory access errors triggered by running readelf on a corrupt binary.

        PR binutils/17531
        * dwarf.c (display_debug_addr): Use xcalloc to allocate the
        debug_addr_info array.  Check for an address_base that is too large.

[Bug binutils/17531] readelf crashes on fuzzed samples
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #68 from Nick Clifton nickc at redhat dot com ---
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`
> Errors:
>  6 Conditional jump or move depends on uninitialised value(s)
>  8 Invalid read of size ...
>  1 Process terminating with default action of signal 11 (SIGSEGV)
>  1 Use of uninitialised value of size ...

Also fixed.

Cheers
  Nick

[Bug binutils/17531] readelf crashes on fuzzed samples
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #63 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8060
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8060&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Files: 1
Errors:
  4 Conditional jump or move depends on uninitialised value(s)
  1 Invalid read of size ...
  1 Process terminating with default action of signal 11 (SIGSEGV)
  1 Use of uninitialised value of size ...

[Bug binutils/17531] readelf crashes on fuzzed samples
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #64 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8061
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8061&action=edit
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Files: 1
Errors:
  6 Conditional jump or move depends on uninitialised value(s)
  8 Invalid read of size ...
  1 Process terminating with default action of signal 11 (SIGSEGV)
  1 Use of uninitialised value of size ...

[Bug binutils/17531] readelf crashes on fuzzed samples
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

--- Comment #59 from Alexander Cherepanov cherepan at mccme dot ru ---
Created attachment 8037
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8037&action=edit
More problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

-- valgrind
Files: 5
Errors:
 12 Invalid read of size ...
  5 Invalid write of size ...
  4 Process terminating with default action of signal 11 (SIGSEGV)

-- gdb
Files: 2
Errors:
  1 No assertion info in gdb backtrace.
  1 readelf.c:14056: process_mips_specific: Assertion `global_end >= local_end' failed.

[Bug binutils/17531] readelf crashes on fuzzed samples
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

Alexander Cherepanov cherepan at mccme dot ru changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|readelf -a crashes on fuzzed|readelf crashes on fuzzed
                   |samples                     |samples
